Procedure
The procedure for connecting to SURFconext as an IdP is as follows:
- Request that your IdP be added to SURFconext by sending an email to surfconext-beheer@surfnet.nl.
- Your request will be evaluated.
- When your request is accepted by SURFconext, send the necessary information (see below) to surfconext-beheer@surfnet.nl.
- Add the SURFconext metadata to your IdP configuration.
- SURFconext will add you as an IdP and will notify you when this is done.
- Verify correct configuration by logging in to an SP.
- Have the status of your SP changed to production by emailing surfconext-beheer@surfnet.nl.
Necessary information
When a SURFnet institution wants to connect to SURFconext as an IdP, the following information needs to be provided by the institution:
- IdP SAML2 metadata. The IdP metadata should at least contain the following information:
  - SingleSignOnService element with Binding and Location
  - X.509 certificate that is used for signing messages
- Extra information describing your institution; fields marked with a * are mandatory:

Information | Example value | Description
---|---|---
url * | | The URL of the institution (usually points to the institution's homepage)
organization:OrganizationName:nl * | Universiteit van Monnickendam | Dutch name of the organisation running the IdP
organization:OrganizationName:en * | University of Monnickendam | English name of the organisation running the IdP
organization:OrganizationDisplayName:nl * | Universiteit van Monnickendam | Dutch name, suitable for display purposes, of the organisation running the IdP
organization:OrganizationDisplayName:en * | University of Monnickendam | English name, suitable for display purposes, of the organisation running the IdP
logo * | universiteitvanmonnickendam.gif | The logo of the IdP that users who want to log in will recognise as representing their institution. The logo should be delivered in GIF, JPG or PNG format with a maximum size of 108 x 48 pixels (width x height). A URL to an image is acceptable, but the image will be copied to a SURFconext location; any updates to the image after the IdP registration is complete will not be processed.
logo width | 107 | Width of the logo in pixels (maximum 108 pixels)
logo height | 51 | Height of the logo in pixels (maximum 48 pixels)
keywords:nl * | universiteit monnickendam uvm | Dutch keywords users can use when searching for a specific IdP
keywords:en * | university monnickendam uvm | English keywords users can use when searching for a specific IdP
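Before sending your metadata, it is worth checking that it actually carries the minimum listed above (a SingleSignOnService with Binding and Location, and a signing certificate). The following Python script is an added example, not SURFconext or SimpleSAMLphp code; it works on a constructed sample metadata document in which the entityID, endpoint URL and certificate value are placeholders.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata; the X509Certificate value is a placeholder DER
# SEQUENCE, not a real certificate, and the entityID is a made-up example.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MAMCAQE=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.org/SSOService"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_idp_metadata(xml_text):
    """Return the list of problems found; an empty list means the minimum is present."""
    problems = []
    idp = ET.fromstring(xml_text).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor element"]
    sso = idp.findall("md:SingleSignOnService", NS)
    if not sso:
        problems.append("no SingleSignOnService element")
    for el in sso:  # each endpoint needs both a Binding and a Location
        for attr in ("Binding", "Location"):
            if not el.get(attr):
                problems.append("SingleSignOnService missing " + attr)
    # a KeyDescriptor without a 'use' attribute is valid for signing as well
    signing = [k for k in idp.findall("md:KeyDescriptor", NS)
               if k.get("use") in (None, "signing")]
    if not signing:
        problems.append("no signing KeyDescriptor")
    for kd in signing:
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
        try:  # the certificate must be valid base64 holding a DER SEQUENCE (0x30)
            der = base64.b64decode("".join(b64.split()), validate=True)
        except binascii.Error:
            der = b""
        if not der.startswith(b"\x30"):
            problems.append("signing KeyDescriptor has no decodable X509Certificate")
    return problems

if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA) or "metadata meets the minimum requirements")
```

Run it against the metadata your IdP publishes; an empty result only means the required elements are present, not that the certificate matches the key your IdP signs with.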
Configuring SURFconext as an SP in your IdP
The following attributes must be sent to SURFconext in the SAML assertion:
- urn:mace:dir:attribute-def:uid
- urn:mace:terena.org:attribute-def:schacHomeOrganization

The following attributes are also supported, and may be useful to service providers (and to SURFconext itself) as well:
- urn:mace:dir:attribute-def:displayName
- urn:mace:dir:attribute-def:mail
Using SimpleSAMLphp as IdP
Assuming your SimpleSAMLphp is connected to your local LDAP, you need to modify the attributes it releases by adding the urn prefix to their names and by making schacHomeOrganization available.
The following can be configured in metadata/saml20-sp-remote.php; make sure to replace the schacHomeOrganization value with your institute's domain:
```php
$metadata['https://engine.surfconext.nl/authentication/sp/metadata'] = array(
    'AssertionConsumerService' => 'https://engine.surfconext.nl/authentication/sp/consume-assertion',
    'authproc' => array(
        /* add schacHomeOrganization attribute */
        10 => array(
            'class' => 'core:AttributeAdd',
            'schacHomeOrganization' => 'frkosp.wind.surfnet.nl',
        ),
        /* add the 'urn' prefix to all supported attributes (if available from LDAP) */
        20 => array(
            'class' => 'core:AttributeMap',
            'uid' => 'urn:mace:dir:attribute-def:uid',
            'sn' => 'urn:mace:dir:attribute-def:sn',
            'givenName' => 'urn:mace:dir:attribute-def:givenName',
            'cn' => 'urn:mace:dir:attribute-def:cn',
            'displayName' => 'urn:mace:dir:attribute-def:displayName',
            'mail' => 'urn:mace:dir:attribute-def:mail',
            'eduPersonPrincipalName' => 'urn:mace:dir:attribute-def:eduPersonPrincipalName',
            'eduPersonEntitlement' => 'urn:mace:dir:attribute-def:eduPersonEntitlement',
            'eduPersonAffiliation' => 'urn:mace:dir:attribute-def:eduPersonAffiliation',
            'schacHomeOrganization' => 'urn:mace:terena.org:attribute-def:schacHomeOrganization',
        ),
    ),
);
```
In order to provide more details about your IdP, below is an example snippet that can be added to metadata/saml20-idp-hosted.php:
```php
'UIInfo' => array(
    'DisplayName' => array(
        'en' => 'University of Monnickendam',
    ),
    'Description' => array(
        'en' => 'An IdP operated by University of Monnickendam',
    ),
    'Keywords' => array(
        'en' => array('universiteit', 'monnickendam'),
    ),
    'Logo' => array(
        array(
            'url' => 'http://www.uvm.nl/universiteitvanmonnickendam.gif',
            'height' => 51,
            'width' => 107,
        ),
    ),
),
```